Update 1: Third PrintNightmare CVE published (July 16th, 2021):
Microsoft published CVE-2021-34481 on July 15th for a local privilege escalation vulnerability. The third Print Spooler service vulnerability is considered separate from PrintNightmare (CVE-2021-34527), but it is still within a similar sphere of printer driver vulnerabilities. Gentilkiwi, the author of the Mimikatz utility, posted a demonstration of the exploit that can be seen here. Local SYSTEM privileges are attained through a malicious downloaded printer driver, even with Microsoft’s prior security patches. Disabling Printer Spooler service can prevent this vulnerability. Microsoft is working on a security patch.
Original Post (July 14th, 2021):
It is a tough job being a system administrator. The role involves maintaining infrastructure that is both functional and accessible to the users. Those requirements can be all-consuming even for a well-staffed team (among the handful of them). That is why the ongoing zero-day PrintNightmare (CVE-2021-1675 & CVE-2021-34527) exploit has been a nuisance for many admins. Even after several emergency software patches from Microsoft, systems with the Windows Print Spooler service (printer and printer server manager) enabled are potentially vulnerable to this remote code execution flaw.
Multiple security organizations have identified threat actors exploiting PrintNightmare on unpatched Windows servers in the wild. The zero-day affects any Windows servers used as Domain Controllers (DCs) and any Windows 10 device with the default settings that have not installed Microsoft’s July 7 patch. Additionally, any system with Point and Print enabled with the NoWarningNoElevationOnInstall option selected are potentially vulnerable even with the patch. Point and Print is a feature in Windows that lets users connect to a remote printer and download the configuration and drivers from the printer itself instead of needing to install drivers beforehand. Downloading directly from a remote device sounds a bit risky in and of itself (it may not be a big deal if the organization runs a tight ship), but in addition, the typical requirement that users have admin access to install a driver can be waived by an administrator if they deem accessibility a greater priority than security. When an organization decides to allow remote driver installation without admin elevation, they aren’t strictly choosing either security or accessibility as there are tradeoffs, but since we live in a world with zero-days the decision gets answered for us.
This graph displays the state of vulnerability before any patch. This was produced by Stan Hegt, a security researcher at Outflank.
Gentilkiwi, the author of the Mimikatz utility, posted a video demonstrating exploitation of Windows servers and workstations. Stan Hegt then built a new graph to demonstrate the vulnerability after Gentilkiwi’s post.
Microsoft published a patch on July 6th for CVE-2021-34527 (PrintNightmare) followed by an additional patch on the 7th for additional Windows OS’s. Researchers were quick to notice that the patch only covered a portion of the exploit. It initially fixed the remote code execution aspect, but did not address the local privilege escalation issue (CVE-2021-1675) that was a precursor to PrintNightmare. As it turns out, both the remote code execution flaw and the privilege escalation remain exploitable after the patch. Gentilkiwi found a way to bypass the patch by using different file path formatting and obtain SYSTEM privileges if the Point and Print policy are still enabled. Luckily, by default, Point and Print are not enabled.
To ensure your endpoints are safe against PrintNightmare and the associated privilege escalation vulnerability (CVE-2021-1675), install the latest security patches and either disable Point and Print entirely or remove the ability for non-administrators to install printer drivers using Point and Print.
Point and Print Mitigation:Delete/disable the registry keys if they exist:
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD)
NoWarningNoElevationOnUpdate = 0 (DWORD)
If you’re a WatchGuard customer, the the Firebox’s Intrusion Prevention System (IPS) has a signature (1139407) for the remote code execution exploit.
Administrators have taken the extreme measure to disable the Printer Spooler services for all devices in the organization. This can hamper some organizations day-to-day business more than others. As of now, manual workarounds are necessary until Microsoft publishes another patch.
For anyone not current on the PrintNightmare news, this timeline highlights important developments:
June 8th – Microsoft releases a low severity privilege escalation vulnerability patch for CVE-2021-1675.
June 21st – Microsoft updates the CVE-2021-1675 to severity to Critical and changes the impact to Remote Code Execution.
June 29th – Researchers published a Proof of Concept (PoC) of CVE-2021-1675* proving that it could be used for not just local privilege escalation but also remote code execution. They coined the name PrintNightmare for this elevated flaw and released PoC code thinking the June 8th patch also fixed this issue. That PoC write-up can be found here.
*The PoC was intended to demonstrate CVE-2021-1675, but it turned out to be a separate exploit that later became CVE-2021-34527. The researchers soon pulled the content, but not soon enough, as malicious hackers began using the exploit.
July 1st – Microsoft publishes CVE-2021-34527 that address the PrintNightmare vulnerability.
July 6th/7th – Microsoft updated CVE-2021-34527 and released an out-of-band patch.
July 6th – Researchers find the CVE-2021-34527 patch did not completely solve the PrintNightmare vulnerability. If the Point and Print is enabled, an attacker can still gain access.
July 14th – Researchers find a local privilege escalation vulnerability affecting the Printer Spooler service. Gentilkiwi demonstration can be seen here.
July 15th – Microsoft publishes CVE-2021-34481 for a local privilege escalation vulnerability affecting the Printer Spooler service. A security update has yet to be published.